Interview: Standard "IEC 62443: Security for industrial automation and control systems" in Mexico
Since 2019, GPQI has addressed the topic of cybersecurity in the context of digitalisation and Industrie 4.0, focusing on important international standards such as ISO/IEC 27001 and IEC 62443. The aim is to strengthen the application of internationally harmonised standards in the field of cyber- and information security to ensure higher security along global value chains.
In December 2021, the conformity assessment and standardisation body NYCE published the Mexican standard NMX-I-62443-4-1-NYCE-2021. It is internationally harmonised with the international standard "IEC 62443-4-1:2018: Security for industrial automation and control systems - Part 4-1: Secure product development lifecycle requirements". In this context, we interviewed Pablo Corona Fraga, Global Sales Director at NYCE and leading expert of the technical group for cybersecurity within the bilateral dialogue.
Why is cybersecurity important in the context of digitalisation and Industrie 4.0?
Pablo Corona: Today, most human activity is related to information systems and telecommunication technologies. These have an impact on the physical world far beyond the level of "bits and bytes", as they are interconnected with the digital world.
Almost every element that can be controlled is connected to an automation and control system. Therefore, it is relevant to talk about security, as the internet of things (IoT) implies greater connectivity, for example among industrial control devices.
The problem is that most of these devices were not initially designed to be connected to the internet, like the scale systems, also called Industrial Automation and Control System (IACS). They rather use joint local communication protocols called TCP/IP to enable internal communication. This compatibility allowed the establishment of communication mechanisms using isolation from other networks to prevent different kinds of attacks.
However, the advantages brought forth by isolation were lost when the interconnection with public internet networks emerged. It was then necessary to establish mechanisms that allowed the connection to the internet facilitating remote control and monitoring from anywhere in the world, whilst also maintaining the security and confidentiality of the processes and services that depend on this connection.
What was the international context when the IEC 62443 standard was set up?
Pablo Corona: Standards are initially "de facto standards" before they become "formal standards". De facto standards for the secure transmission of communications, user authentication, secure storage, transaction validation, and other related elements already existed.
For the IEC 62443 standard, different solutions were aligned, making it a "multi-part" standard, specifically consisting of a four-part architecture: (1) General, (2) Policies and Procedures, (3) Systems and (4) Components. Each of these parts is comprised of sub-components that are complemented by references to keep other elements safe.
One of the references in Part 4-1 refers to the Open Web Application Security Project (OWASP). This open project is accessible to different professionals around the world and facilitates the establishment of safe web applications. Nowadays, this helps to enable industrial control, and communication mechanisms, among others. For this reference, OWASP practices were based on software development life cycles, considering the entire supply chain, such as programming language or databases and their vulnerabilities.
Another standard considered is "ISO/IEC 15408: Common Criteria". It identifies cybersecurity and information security features that components for critical mission processes must have. Generally, different components were adapted to identify best practices and avoid replicating previous mistakes.
Why was it important to adopt IEC 62443 as a national standard?
Pablo Corona: There are certainly advantages. The first is the increased accessibility to the standard resulting from its availability in Spanish. A national standard can help to overcome the language barrier and improve the comprehension of the local context.
The second aspect is the additional legal value. A local standard takes precedence over the international one, generating political certainty.
A third value-added contribution is the existence of an impartial body that can objectively evaluate the implementation of the standard. This is an example of the work that is also implemented by NYCE.
What was NYCE’s role in the development and adaptation of IEC 62443?
Pablo Corona: NYCE participates in national and international standardisation. At the international level, NYCE has represented Mexico in different working groups within international forums. International standardisation organisations such as the International Electrotechnical Commission (IEC) and the International Organization for Standardization (ISO) also bring together national standardisation bodies in "mirror committees". Through NYCE, internal and external experts from the industry, academia, government, and other relevant bodies can participate in international standardisation.
To adopt IEC 62443-4-1:2018 as a national standard, we translated it into Spanish. The terms and concepts were adapted according to local laws to avoid contradictions. In this way, it could be published as a national standard with legal validity.
The language of the Mexican standard is comprehensive and completely harmonised. This means that nothing from the international standard is omitted. It aims to contribute to certainty anywhere around the world, so that it can be easily applied regardless of the available infrastructure or technology.
From your perspective and as a stakeholder in the Cybersecurity expert group of the German-Mexican dialogue on Quality Infrastructure, what is the impact of the cooperation activities on this topic?
Pablo Corona: Many impacts are expected, including building a community, as well as sharing and generating knowledge together in the field of cybersecurity.
Standards are disseminated in a language that is understandable to all the different stakeholders and decision-makers. It is important that they recognise and clearly understand the relevance of cybersecurity and its implementation. Therefore, knowledge generation is also key to ensure a comprehensible dissemination in support of stakeholders.
Finally, and perhaps most importantly, there is the influence on public policy to implement good practices and enforce compliance with standards. This is also part of a security protection process with a positive impact on civil society.
Thank you very much, Pablo Corona, for this interview!
Pablo Corona Fraga is Global Sales Director at NYCE. He serves as vice-coordinator of the ISO working group, which develops the 27001 series of standards at the international level. He is also director of cybersecurity at the Internet Association MX (Asociación de Internet MX) and author of the book “Practical guide for risk management in the cybersecurity era”. He is a certified lead auditor for Information Security Services & Business Continuity Management System, IT Governance and Risk Management.